Many payroll companies and third-party administrators (“TPA”) obtain Service Organization Controls (“SOC 1”) Reports on the Suitability of the Design and Operating Effectiveness of Controls. These reports summarize the opinion and results of the audit of internal controls in place at the service provider. In addition, these reports provide complementary user entity controls, which list internal controls that the Benefit Plan Sponsor should have in place in order to mitigate the risk that a failure of internal controls at the service organization would introduce errors into the Plan.
An essential part of running a Plan that complies with applicable laws is ensuring that the Plan Sponsor has adequate controls to compensate for any deficiencies the service provider may experience. Internal controls should be proactive rather than reactive. To achieve this, the Plan Sponsor should obtain and review a copy of the SOC 1 report for any service organization used to administer the Plan. The key parts of the report to review are:
- The audit opinion
- Any exceptions in testing procedures
- The complementary user entity controls
Reviewing the audit opinion for any qualifications can help the Sponsor identify areas where the risk of error may be greater due to a control failure at the service organization. Especially when there is a qualification, it is helpful to scan for testing exceptions in order to understand the control failure that occurred and assess whether the Plan Sponsor has a control in place to reduce the risk of errors. Finally, it is important to review and consider the complementary user entity controls within the SOC 1 report, not only to ensure that the Plan Sponsor has addressed service organization control failures in the current year, but also to ensure that the Plan Sponsor has adequate controls over other significant areas within the Plan, including, but not limited to, the following:
- Ensuring plan provisions are set up correctly, such as vesting, matching, etc.
- Ensuring balances remain accurate after a plan transfer (to a new TPA or a different platform with the current TPA)
- Ensuring participant accounts are set up and maintained to reflect all relevant information about the participant, accuracy of employee deferrals, accounting for loans, etc.
- Ensuring plan asset valuation and allocation of earnings is appropriate
- Ensuring data is backed up properly in case of disaster
Ensuring Plan Sponsor controls are adequate can result in a more efficient audit and reduce the risk of the Plan failing to comply with applicable laws.